1. Technical Field
The present disclosure relates to network communication technologies, and particularly to a method for defending against session hijacking attacks and to a firewall that applies the method.
2. Description of Related Art
HTTP is stateless: the protocol provides no mechanism for linking the different requests and responses submitted by one user, and each request/response pair is an independent transaction. To build stateful behaviour on top of HTTP, a web application must maintain interaction state between itself and a legitimate client across requests; this dynamic interaction is called a session. The state data is first sent to the legitimate client for storage, and the client then returns it with each subsequent request so that the application can validate it. This state-saving mechanism rests on the premise that the client holding the state has been authenticated, so that the integrity and confidentiality of the state data can be ensured. In practice, however, an attacker who obtains the state data through a session hijacking vulnerability can impersonate an authenticated client and gain unauthorized access. During login, once the user name and password entered by the user have been validated, the application returns the state information (typically a session token) to the legitimate client. The client sends that state information back with its next request, the application identifies the user from it and returns the corresponding response page. If the attacker captures the state information by any means, the attacker can bypass authorization and impersonate the user; this process is called session hijacking. More than ten techniques are known for carrying out a session hijacking attack, including XSS (Cross-Site Scripting, also abbreviated CSS in older literature) session hijacking, CSRF (Cross-Site Request Forgery) session hijacking, session fixation, session token guessing, session token brute forcing, and tokens leaked through logs.
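The following example is added here to make the session mechanism and three of the hijacking classes just listed concrete; it is illustration code written for this page, not code from the disclosure or from any real web framework. `SessionServer`, its `regenerate_on_login` knob, the credential table and the token factories are all assumed names constructed for the example. It shows a server that issues an opaque token after login and maps it back to a user on later requests, then shows that whoever holds the token is accepted as that user (the stolen-token case), that a planted token becomes authenticated when the server does not regenerate it at login (session fixation), and that sequential tokens can be guessed while random 128-bit tokens cannot.

```python
import itertools
import secrets

# Constructed credential table for the example (hypothetical users, not from the page).
USERS = {"alice": "correct horse", "bob": "battery staple"}


def strong_token_factory():
    """128 random bits from the OS CSPRNG: infeasible to guess or brute-force."""
    return lambda: secrets.token_hex(16)


def sequential_token_factory():
    """Predictable tokens: each new session is the previous value plus one."""
    counter = itertools.count(0x1000)
    return lambda: format(next(counter), "032x")


class SessionServer:
    """Server side of the session mechanism described in the text (assumed design).

    HTTP itself is stateless, so after login the server hands the client an
    opaque token; the client returns it with every request and the server maps
    it back to an authenticated identity.  Both constructor parameters are
    knobs invented for this example, not a real framework API.
    """

    def __init__(self, token_factory, regenerate_on_login=True):
        self._new_token = token_factory
        self._regenerate = regenerate_on_login
        self._sessions = {}  # token -> username, or None for a pre-login session

    def anonymous_session(self):
        """Issue a pre-authentication session (e.g. a shopping cart)."""
        token = self._new_token()
        self._sessions[token] = None
        return token

    def login(self, username, password, client_token=None):
        """Validate credentials and return the token the client must store."""
        if USERS.get(username) != password:
            return None
        if client_token in self._sessions and not self._regenerate:
            # Weak: keep the token the client already had.  If an attacker
            # planted that token, it now maps to the victim (session fixation).
            token = client_token
        else:
            # Hardened: bind authentication to a fresh token and retire the old one.
            self._sessions.pop(client_token, None)
            token = self._new_token()
        self._sessions[token] = username
        return token

    def whoami(self, token):
        """Validate returned state: which user does this token identify?"""
        return self._sessions.get(token)


def stolen_token_demo():
    """Token leaked via XSS, a log or sniffing: whoever presents it is the victim."""
    server = SessionServer(strong_token_factory())
    victim_token = server.login("alice", "correct horse")
    # The attacker never learned alice's password, only her token.
    return server.whoami(victim_token)


def fixation_demo(regenerate_on_login):
    """Attacker plants a token of their choosing, then waits for the victim to log in."""
    server = SessionServer(strong_token_factory(), regenerate_on_login)
    planted = server.anonymous_session()  # attacker obtains a valid pre-auth token
    server.login("alice", "correct horse", client_token=planted)  # victim logs in with it
    return server.whoami(planted)  # attacker replays the planted token


def guessing_demo(token_factory):
    """Attacker logs in legitimately and tries the token 'after' their own."""
    server = SessionServer(token_factory)
    own = server.login("bob", "battery staple")
    server.login("alice", "correct horse")  # victim logs in right after
    guess = format(int(own, 16) + 1, "032x")
    return server.whoami(guess)


if __name__ == "__main__":
    print("stolen token accepted as:", stolen_token_demo())
    print("fixation, no regeneration:", fixation_demo(False))
    print("fixation, with regeneration:", fixation_demo(True))
    print("guess vs sequential tokens:", guessing_demo(sequential_token_factory()))
    print("guess vs random tokens:", guessing_demo(strong_token_factory()))
```

Note that in every scenario the server performs exactly the validation the text describes, and the validation succeeds; the token is a bearer credential, so the server cannot distinguish the legitimate client from anyone who has obtained the same value. Regenerating the token at login and drawing it from a CSPRNG remove the fixation and guessing paths, but not the stolen-token path.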
Currently, an application layer firewall defends against one of these session hijacking types at a time, for example XSS session hijacking by means of signature (characteristic) matching, or CSRF session hijacking by means of anti-forgery tokens. Signature-based defenses are passive: they can only react to traffic that matches known patterns rather than preventing a hijacking in advance, and they readily produce both false positives and false negatives. Token-based defenses, for their part, depend on a single secret value and on the validity period of that value. Moreover, a firewall configured against one type of session hijacking leaves the session exposed to every other type, and it cannot defend against a newly emerging type of session hijacking attack.
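To show the two firewall defenses named above and their stated limits, the following example is added here; it is illustration code written for this page, not the disclosure's own method nor any product's filter rules. The signature list, the sample request bodies and the `CsrfGuard` class (with its token lifetime) are all constructed for the example. The signature check misses a variant vector (false negative) and blocks a harmless comment (false positive), and the token check rejects a cross-site request that carries no token but equally rejects a legitimate submission once the token has expired.

```python
import hmac
import re
import secrets

# Signature-based check, as an application-layer firewall might apply it.
# Constructed pattern list; real products ship far larger ones.
XSS_SIGNATURES = [
    re.compile(p, re.IGNORECASE) for p in (r"<script", r"javascript:", r"onerror\s*=")
]


def signature_check(request_body):
    """Return True if the firewall would block this request body."""
    return any(sig.search(request_body) for sig in XSS_SIGNATURES)


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "classic": "<script>alert(document.cookie)</script>",     # caught
    "variant": "<svg/onload=alert(document.cookie)>",         # missed: false negative
    "legit_comment": "Never set onerror= handlers that leak cookies",  # blocked: false positive
}


def classify_samples():
    """Run the signature check over every sample; keys map to block/allow."""
    return {name: signature_check(body) for name, body in SAMPLES.items()}


class CsrfGuard:
    """Token-based CSRF check with one token per session and a lifetime (assumed design)."""

    def __init__(self, ttl_seconds):
        self._ttl = ttl_seconds
        self._issued = {}  # session_id -> (token, issue_time)

    def issue(self, session_id, now):
        """Mint the single anti-forgery token embedded in the session's forms."""
        token = secrets.token_hex(16)
        self._issued[session_id] = (token, now)
        return token

    def verify(self, session_id, presented, now):
        """Accept only the current, unexpired token for this session."""
        record = self._issued.get(session_id)
        if record is None:
            return False
        token, issued_at = record
        if now - issued_at > self._ttl:
            return False  # time dependency: a stale token fails even for the real user
        # Constant-time comparison; a missing token compares as the empty string.
        return hmac.compare_digest(token, presented or "")


def csrf_demo():
    """Legitimate, forged and expired submissions against one session's token."""
    guard = CsrfGuard(ttl_seconds=600)
    t0 = 1_700_000_000  # constructed clock value (seconds)
    token = guard.issue("sess-1", now=t0)
    return {
        "legit": guard.verify("sess-1", token, now=t0 + 5),
        "forged": guard.verify("sess-1", None, now=t0 + 5),  # cross-site form has no token
        "expired": guard.verify("sess-1", token, now=t0 + 601),
    }


if __name__ == "__main__":
    print("signature results:", classify_samples())
    print("csrf results:", csrf_demo())
```

The token check also illustrates the single-secret limitation: it accepts any request that carries the current token, so an attacker who has already read it (for instance through the XSS the signature filter failed to catch) passes the check exactly as the legitimate user does.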